The internet was designed to be easy to use. As its use expanded rapidly, what was needed was a scalable system for associating an internet host’s name with its IP address. Therefore, the domain name system (DNS) was developed.
DNS is sometimes referred to as the phone directory for the internet, acting as a lookup service to ensure that emails are sent to the correct server and mailbox and that website requests reach the real address. On a technical level, computers work with binary identifiers that are used to locate and address computer resources, but strings of numbers are difficult for humans to remember.
Because of this, DNS was invented to translate numerical identifiers into domain addresses that are meaningful to humans, associating the names with IP (internet protocol) addresses. For example, without DNS, a user would have to remember and type in “220.127.116.11” in order to reach popular web search engine Google.
When DNS was invented, security was not considered to be an over-riding concern; ease of use was the priority and it has achieved that and is credited with enabling the widespread growth of the use of the internet. However, it has long been known to have a number of security issues. Among these vulnerabilities is that of cache poisoning, which allows a hacker to impersonate a real DNS server and insert a rogue IP address that can take a user to a spoofed website, which can lead to exploits such as identity theft, malware distribution and dissemination of false information—any of which can harm the brand of the organisation that has had its web presence hijacked.
To counter the known security issues, DNS security extensions (DNSSEC) was developed, which is a suite of security extensions that provide authentication regarding the origin of DNS records, using digital signatures to provide assurance of the integrity of the DNS record. DNSSEC is nothing new—in fact, it was developed around 12 years ago—but it has not yet been widely deployed.
DNS works as a hierarchy, at the top of which are 13 root servers, spread throughout the world. These root servers are the name servers that answer requests from other authoritative name servers down the hierarchy. As such, they are critical because they are the first step in translating names that are readable to humans into IP addresses.
One of the key reasons holding up deployment of DNSSEC is that it works with digital signatures and certificates. Only when the name servers have been signed digitally can it be certain that they are trusted domains. At the apex of the DNS hierarchy, the root servers needed to be signed—and that has only just happened, in July 2010. Until that happened, there was a chicken-and-egg situation—why would anyone deploy DNSSEC when there were no servers to validate the responses?
Now that that situation has been resolved and top level domains such as .org and .com that form the next level down the hierarchy are being signed, DNSSEC is ready for prime time. Now is the time for organisations to implement DNSSEC themselves. Doing so will allow them to safeguard their valuable web presence and guard against the financial and brand impact of having their website hijacked by hackers.